A computer network is a collection of interconnected computing devices that exchange data and share resources. In a packet-based network, such as the Internet, the computing devices communicate data by dividing the data into small blocks called packets. The packets are individually routed across the network from a source device to a destination device. The destination device extracts the data from the packets and assembles the data into its original form. Dividing the data into packets enables the source device to resend only those individual packets that may be lost during transmission.
Certain devices, referred to as routers, maintain routing information that describes routes through the network. A “route” can generally be defined as a path between two locations on the network. Conventional routers often maintain the routing information in the form of one or more routing tables or other data structures. The form and content of the routing tables often depend on the particular routing algorithm implemented by the router.
Upon receiving incoming packets, the routers examine information within the packets, and forward the packets in accordance with the routing information. In order to maintain an accurate representation of the network, routers periodically exchange routing information in accordance with routing protocols, such as the Border Gateway Protocol (BGP), the Intermediate System to Intermediate System (ISIS) protocol, the Open Shortest Path First (OSPF) protocol, and the Routing Information Protocol (RIP).
When two routers initially connect, they typically exchange routing information. From then on, the routers send control messages to incrementally update the routing information when the network topology changes. For example, the routers may send update messages to advertise newly available routes, and to withdraw routes that are no longer available.
A network device, such as a router, customer server, workstation, or other device, can be susceptible to a network attack, such as a denial of service (DoS) attack. A DoS attack, for example, occurs when a malicious party directs a high volume of packets to the network device in an attempt to sabotage network operation. The high traffic volume can overwhelm the network device, leaving it unable to process the inbound packets. For example, in one type of DoS attack, a perpetrator sends a large number of “ping” requests to network broadcast addresses, which are special addresses used to broadcast messages to other devices on the network. When sending the requests, the perpetrator spoofs the source address of a network device targeted by the attack. In response to the requests, the other network devices reply to the targeted routing device, thereby inundating the targeted routing device with packets.
One technique for preventing or otherwise reducing the effects of network attacks is to drop network traffic that is associated with a specified network destination. In some instances, routing protocols have been used to convey information describing the network destination. For example, some network service providers currently utilize BGP to distribute routing entries that specify network destinations for which traffic is to be dropped. These techniques, however, provide little flexibility as the BGP routing entries “mark” the network destinations in a manner to indicate that all traffic bound for those destinations should be dropped.